Published by The Lawfare Institute
in Cooperation With
The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets, he said. When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.”In practice, data from Americans is collected in large volumes---in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages.A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”NSA analysts, he said, may not search within the contacts database or distribute information from it unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.” In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory. By contrast, the NSA draws on authority in the Patriot Act for its bulk collection of domestic phone records, and it gathers online records from U.S. Internet companies, in a program known as PRISM, under powers granted by Congress in the FISA Amendments Act. Those operations are overseen by the Foreign Intelligence Surveillance Court.
claims that the aim of the Times "was never to declare the program legal or illegal, effective or ineffective." Its objective was instead to "lay out the facts of the program and let people decide for themselves what they thought of it." And Lichtblau adds that the story was, "above all else, an interesting yarn about the administration's extraordinary efforts since 9/11 to stop another attack," as if its aesthetic merit were relevant to the decision to publish. This is hardly the careful exercise of judgment about whether public accountability warrants a compromise of national security that Lichtblau and the Times promised us. It is, instead, the casual renunciation of such judgment.I'm curious what the judgment here on the Post's part looks like. Is it just that that the story was an interesting yarn? The Snowden leaks are supposedly justified despite the fact that they reveal sensitive intelligence sources and methods, because they shed light on something important for the public to know. I can certainly see that argument with respect to, say, the 215 program, where the activity in question was both unknown to the public and reliant on an interpretation of the law that many experts question. And to be sure, the Post has never claimed that it will only reveal classified material when that material suggests illegality. But like other responsible news organizations, it does purport to balance the public interest in the material in question against the damage that publication risks to security interests. Here is how Gellman himself has described it: "There are easy questions of secrecy as well as hard ones. Sometimes strong security interests collide with weak public interests in disclosure. We do not publish the names of clandestine agents; future combat operations of the U.S. military; technical details that would enable defeat of U.S. weapons or defenses; or anything, broadly speaking, that puts lives at concrete and immediate risk" (emphasis added). I'm not sure if publishing technical details of this collection activity violates the principle Gellman articulates here, but it sure comes close---particularly in the absence of any suggestion of impropriety in the program in question. Here the public interest in disclosure seems, at least to me, remarkably weak, after all. At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements. We knew all of that already. So what does this story reveal that we didn't already know? A specific collection method that people can now frustrate and a particular interest in collecting contact lists. In other words, here the Post does not seem to be balancing the costs of the disclosure against its benefit to the public interest. The costs, rather, are the benefit to the public interest. Put another way, I can't quite shake the feeling that my old newspaper is now blowing secrets merely for the sake of doing so.